malwarewikiaorg-20200223-history
CrySiS
CrySiS is ransomware that runs on Microsoft Windows. It was first spotted in March 2016 and is still active today. Since its initial release, CrySiS has received multiple updates, each changing the extension appended to encrypted files and the contact email address in the ransom note. CrySiS is closely related to the Dharma and Phobos families. Because of the similarities between CrySiS and Dharma, security researchers often refer to the two threats together as the CrySiS/Dharma ransomware family. In February 2017, the Trend Micro research team published statistics showing that CrySiS had doubled the number of brute-force attacks against corporations and institutions within January 2017 alone. The malware, which had previously targeted mainly Australia and New Zealand, was expanding to the rest of the world, with a growing number of attacks recorded in Europe and the US. It particularly targets healthcare institutions and looks for ways into their internal networks. Brazil, Argentina, and Turkey were the countries hit hardest.

Payload Transmission

CrySiS was originally distributed via malicious spam emails carrying an infected attachment; if the victim was tricked into opening it, the payload was dropped on the system. In September 2016, malware researchers reported a new infection method: instead of spam emails and fake software updates, CrySiS now arrives over the Remote Desktop Protocol (RDP). The operators scan the Internet for RDP endpoints exposed without adequate protection and connect to them, obtaining the administrator password needed to log in by brute-forcing weak or reused credentials. Exposed RDP endpoints and weak passwords, not email attachments, are therefore the control point for this vector: mail filtering and attachment sandboxing do nothing against it, while account lockout, strong credentials, and failed-logon monitoring do.
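The brute-force stage described above leaves a clear trace in the Windows Security log: many EventID 4625 (failed logon) records with LogonType 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a 4624 (successful logon) from the same address once a password is guessed. The following is an added example, not code from the original page or from the malware, that correlates those events with a sliding window; the sample records are constructed, and the threshold and window values are assumptions to tune per environment.

```python
"""RDP brute-force detection over Windows Security log events.

Added example (not code from the original page). It correlates EventID 4625
(failed logon) and 4624 (successful logon) records whose LogonType is 10
(RemoteInteractive, i.e. RDP), alerts when one source address exceeds a
failure threshold inside a sliding window, and escalates if that same address
later logs on successfully. The sample records are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10                       # LogonType 10 = RemoteInteractive (RDP)
FMT = "%Y-%m-%dT%H:%M:%S"


def _ts(s):
    return datetime.strptime(s, FMT)


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return a list of alerts. `events` are dicts carrying the EventData
    fields EventID, LogonType, IpAddress, TargetUserName and TimeCreated."""
    events = sorted(events, key=lambda e: _ts(e["TimeCreated"]))
    failures = defaultdict(deque)         # ip -> timestamps of failures in window
    accounts = defaultdict(set)           # ip -> account names tried from that ip
    flagged = set()                       # ips already alerted as brute-forcing
    alerts = []
    for e in events:
        if e.get("LogonType") != RDP_LOGON_TYPE:
            continue                      # console/service logons are out of scope
        ip, t = e["IpAddress"], _ts(e["TimeCreated"])
        if e["EventID"] == 4625:
            q = failures[ip]
            q.append(t)
            accounts[ip].add(e["TargetUserName"])
            while q and t - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "rdp_bruteforce", "ip": ip,
                               "failures": len(q), "accounts": sorted(accounts[ip]),
                               "at": e["TimeCreated"]})
        elif e["EventID"] == 4624 and ip in flagged:
            # a success after a flagged spree: the password was guessed
            alerts.append({"type": "rdp_bruteforce_success", "ip": ip,
                           "user": e["TargetUserName"], "at": e["TimeCreated"]})
    return alerts


def _event(event_id, ip, user, when, logon_type=RDP_LOGON_TYPE):
    return {"EventID": event_id, "LogonType": logon_type, "IpAddress": ip,
            "TargetUserName": user, "TimeCreated": when.strftime(FMT)}


def constructed_events():
    """Constructed sample records (not real telemetry)."""
    base = datetime(2017, 1, 12, 3, 10, 0)
    ev = []
    # 203.0.113.7 fails 12 times against two admin accounts in two minutes ...
    for i in range(12):
        ev.append(_event(4625, "203.0.113.7",
                         "Administrator" if i % 2 == 0 else "admin",
                         base + timedelta(seconds=10 * i)))
    # ... and then gets in: the password was guessed
    ev.append(_event(4624, "203.0.113.7", "Administrator", base + timedelta(minutes=3)))
    # a real user mistypes twice and then logs on: stays under the threshold
    ev.append(_event(4625, "198.51.100.20", "jsmith", base + timedelta(seconds=60)))
    ev.append(_event(4625, "198.51.100.20", "jsmith", base + timedelta(seconds=90)))
    ev.append(_event(4624, "198.51.100.20", "jsmith", base + timedelta(seconds=120)))
    # a failed console logon (LogonType 2) is ignored by the RDP rule
    ev.append(_event(4625, "-", "svc_backup", base, logon_type=2))
    return ev


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(constructed_events()):
        print(alert)
```

On the constructed sample the rule raises two alerts: one for the spree from 203.0.113.7 on its tenth failure, and an escalated one when that address logs on as Administrator three minutes later; the two mistypes from 198.51.100.20 stay below the threshold. In production the same logic applies to events exported from the EVTX or a SIEM, and the escalated alert is the one to page on, since it marks the moment the operator gains the interactive session from which the ransomware is launched.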
Infection

Before installation, and before the encryption process starts, the operators drop keylogging tools with which they monitor the victim's activity and collect general system information as well as personal data about the user. Through this credential harvesting and monitoring the attackers extend the scope of the attack and compromise other devices and resources on the same network. The collected data also lets them tailor the ransom demand to whether the victim is an individual or a company, so the amount can reach thousands of dollars when a CrySiS variant hits a large corporate network.

After installation, one of the ransomware's first actions is to create its own startup entries in the Windows registry and to place copies of its code in folders that hold legitimate Windows files, such as C:\Windows\System32, C:\ProgramData, C:\Program Files, and the user's Start Menu Programs\Startup folder. This ensures that the malware survives reboots and can encrypt files created after the initial run. The files, processes, and registry keys belonging to CrySiS carry random names, so they are hard to spot and hard to distinguish from legitimate operating-system objects; this is one reason removal typically requires a dedicated malware-cleaning tool.

The next step in the CrySiS routine is to scan every file on the infected computer's disks, comparing each against a built-in list of file types suitable for encryption. Almost every popular file format is on that list, so the malware finds and encrypts practically any file that could hold valuable user data.
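The persistence behaviour described above (a Run value in the registry plus copies of the binary under System32, ProgramData, Program Files, and the Startup folder) is visible in Sysmon telemetry as EventID 13 (registry value set) and EventID 11 (file create) records. The following is an added example, not code from the original page or from the malware, that applies two triage rules to such records: a process registering its own binary or a same-named copy for autorun, and an executable being written into a Startup or system directory by a process that is not a trusted installer. The records, the directory lists, and the `TRUSTED_WRITERS` notion are constructed assumptions; a real triage would also check the file's signer and hash.

```python
"""Triage of CrySiS-style persistence from Sysmon events.

Added example (not code from the original page or the malware). It applies
rules to Sysmon EventID 13 (registry value set) records that write a
Run/RunOnce value and to EventID 11 (file create) records that drop an
executable into a Startup folder or a Windows/Program directory. The event
records are constructed; the directory tuples are assumptions to adapt, not an
allowlist to ship unchanged (a real triage also checks signers and hashes).
"""
import ntpath
import re

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Locations the page names as drop sites for copies of the malware.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\programdata\\",
               "c:\\program files\\", "c:\\program files (x86)\\")
# Locations any process can write to: a Run target here deserves a look.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Processes running from here are treated as legitimate installers/updaters (assumption).
TRUSTED_WRITERS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EXEC_EXT = (".exe", ".scr", ".cmd", ".bat", ".vbs", ".js")


def extract_image_path(value):
    """Pull the program path out of a Run value such as
    '"C:\\Program Files\\App\\x.exe" /s' or 'C:\\ProgramData\\y.exe'."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0].lower()
    m = re.match(r"(.+?\.(?:exe|scr|cmd|bat|vbs|js))(?:\s|$)", value, re.IGNORECASE)
    return (m.group(1) if m else value.split(" ", 1)[0]).lower()


def triage_persistence(events):
    """Return one finding per suspicious event, each with a list of reasons."""
    findings = []
    for e in events:
        image = e["Image"].lower()
        reasons, subject = [], None
        if e["EventID"] == 13 and RUN_KEY_RE.search(e["TargetObject"]):
            subject = extract_image_path(e["Details"])
            if ntpath.basename(subject) == ntpath.basename(image):
                reasons.append("process registered its own binary (or a same-named copy) for autorun")
            if subject.startswith(USER_WRITABLE):
                reasons.append("autorun target lives in a user-writable directory")
            if image.startswith(USER_WRITABLE):
                reasons.append("Run value written by a process running from a user-writable directory")
        elif e["EventID"] == 11 and e["TargetFilename"].lower().endswith(EXEC_EXT):
            subject = e["TargetFilename"].lower()
            if STARTUP_RE.search(subject):
                reasons.append("executable dropped into a Startup folder")
            elif subject.startswith(SYSTEM_DIRS) and not image.startswith(TRUSTED_WRITERS):
                reasons.append("executable written into a system/program directory by an untrusted process")
        if reasons:
            findings.append({"EventID": e["EventID"], "image": image,
                             "subject": subject, "reasons": reasons})
    return findings


def constructed_events():
    """Constructed Sysmon-style records (not real telemetry)."""
    run = ("HKU\\S-1-5-21-1004336348-1177238915-682003330-1001"
           "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\")
    startup = "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
    return [
        # the downloaded dropper registers a randomly named copy in ProgramData
        {"EventID": 13, "Image": "C:\\Users\\bob\\Downloads\\invoice.exe",
         "TargetObject": run + "qzhJkd", "Details": "C:\\ProgramData\\qzhJkd.exe"},
        # a vendor installer registers its updater: nothing to flag
        {"EventID": 13, "Image": "C:\\Program Files\\VendorApp\\setup.exe",
         "TargetObject": run + "VendorUpdater",
         "Details": "\"C:\\Program Files\\VendorApp\\updater.exe\" /background"},
        # the copy re-registers itself after a reboot
        {"EventID": 13, "Image": "C:\\ProgramData\\qzhJkd.exe",
         "TargetObject": run + "qzhJkd", "Details": "\"C:\\ProgramData\\qzhJkd.exe\""},
        # the copy also drops itself into the user's Startup folder
        {"EventID": 11, "Image": "C:\\ProgramData\\qzhJkd.exe",
         "TargetFilename": startup + "qzhJkd.exe"},
        # the dropper writes a copy into System32
        {"EventID": 11, "Image": "C:\\Users\\bob\\Downloads\\invoice.exe",
         "TargetFilename": "C:\\Windows\\System32\\qzhJkd.exe"},
        # Windows Installer writing into Program Files is expected
        {"EventID": 11, "Image": "C:\\Windows\\System32\\msiexec.exe",
         "TargetFilename": "C:\\Program Files\\VendorApp\\updater.exe"},
    ]


if __name__ == "__main__":
    for f in triage_persistence(constructed_events()):
        print(f)
```

On the constructed records four of the six events are flagged: the two Run values pointing at the ProgramData copy (the second with all three reasons, because the copy registers itself), the drop into the Startup folder, and the write into System32 by a binary running from Downloads. The vendor installer and msiexec records produce nothing. Because CrySiS uses random names, the rules deliberately key on relationships (who wrote what, where) rather than on file names.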
Furthermore, CrySiS has become a high-profile threat because its latest versions encrypt nearly every file on the infected machine, including extensionless system files and executables, regardless of where the file sits: fixed, removable, or network drives. Before the encryption routine, CrySiS deletes all Volume Shadow Copies, and with them the Windows restore points, with the following command:

vssadmin delete shadows /all /quiet

As for the encryption engine, CrySiS, like the rest of the family, uses a hybrid of AES-128 and RSA: file contents are encrypted with AES, and the AES key material is protected with an RSA public key whose private counterpart is held on the attackers' server, so the key cannot be recovered from the infected machine alone. Since its first appearance in 2016, the variants in the CrySiS family have appended different extensions to encrypted files. In chronological order from the first version onwards, these extensions are: .crysis, .dharma, .wallet, .onion, .arena, .cobra, .java, .arrow, .bip, .cmb, .brr, .gamma, .bkp, .monro, .boost, .adobe, .cccmn, .AUDIT, .tron. The latest version at the time of writing, detected in mid-November, adds the .Back and .Bear extensions. In some cases the attackers' contact address is also added to the name of each encrypted file, together with a unique victim ID generated for each infected machine. After encryption completes, CrySiS creates ransom notes explaining how the victim should contact the operators and how the ransom should be paid. Typically two note files are created: an HTML/HTA file that opens automatically and replaces the desktop wallpaper, and a TXT file placed on the desktop and, in some cases, in every folder that contains encrypted files.
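Two checks an analyst runs against the encryption stage described above, as an added example that is not code from the original page or from the malware: recognising the shadow-copy deletion command in process-creation telemetry regardless of path, letter case, or argument order (the wmic and wbadmin forms are a generalisation beyond the page, included because they achieve the same end), and parsing the encrypted-file naming layout the page describes (original name, victim ID, contact address, appended extension) so that the victim ID and contact address can be pulled straight from a directory listing and the extension placed in the page's chronology. The sample command lines and file names are constructed; the curly-brace form of the contact address is an assumption about older variants.

```python
"""Encryption-stage checks for CrySiS-style activity.

Added example (not code from the original page or the malware).
is_shadow_copy_deletion() matches the vssadmin command quoted on the page plus
the equivalent wmic/wbadmin forms (a generalisation); parse_encrypted_name()
decodes the '<name>.id-<ID>.[<contact>].<ext>' layout the page describes.
Sample inputs are constructed.
"""
import ntpath
import re


def is_shadow_copy_deletion(command_line):
    """True if the process command line destroys Volume Shadow Copies / backups."""
    toks = command_line.replace('"', "").lower().split()
    if not toks:
        return False
    exe = ntpath.basename(toks[0]).rsplit(".", 1)[0]   # 'c:\...\vssadmin.exe' -> 'vssadmin'
    args = set(toks[1:])                               # order-insensitive
    if exe == "vssadmin":
        return {"delete", "shadows"} <= args           # /all and /quiet are optional
    if exe == "wmic":                                  # generalisation beyond the page
        return "shadowcopy" in args and "delete" in args
    if exe == "wbadmin":                               # generalisation beyond the page
        return "delete" in args and bool({"catalog", "systemstatebackup"} & args)
    return False


# Extensions in the chronological order the page gives (first version first).
EXTENSION_CHRONOLOGY = ["crysis", "dharma", "wallet", "onion", "arena", "cobra",
                        "java", "arrow", "bip", "cmb", "brr", "gamma", "bkp",
                        "monro", "boost", "adobe", "cccmn", "audit", "tron",
                        "back", "bear"]

ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+?)"                         # original name, its extension included
    r"\.id-(?P<victim_id>[^.\[{]+)"               # per-victim ID
    r"(?:\.[\[{](?P<contact>[^\]}]+)[\]}])?"      # optional .[contact]; .{contact} assumed for old variants
    r"\.(?P<ext>[A-Za-z0-9]+)$")                  # appended extension


def parse_encrypted_name(name):
    """Return original name, victim ID, contact, extension and the extension's
    position in the page's chronology (1 = .crysis), or None if the name does
    not follow the layout."""
    m = ENCRYPTED_NAME_RE.match(name)
    if not m:
        return None
    info = m.groupdict()
    ext = info["ext"].lower()
    info["generation"] = (EXTENSION_CHRONOLOGY.index(ext) + 1
                          if ext in EXTENSION_CHRONOLOGY else None)
    return info


def triage_listing(names):
    """Summarise a directory listing: distinct victim IDs and contacts seen."""
    parsed = [p for p in map(parse_encrypted_name, names) if p]
    return {"encrypted": len(parsed),
            "victim_ids": sorted({p["victim_id"] for p in parsed}),
            "contacts": sorted({p["contact"] for p in parsed if p["contact"]}),
            "extensions": sorted({p["ext"].lower() for p in parsed})}


if __name__ == "__main__":
    # constructed command lines as they would appear in Sysmon EventID 1 / Security 4688
    for cmd in ["vssadmin delete shadows /all /quiet",
                "C:\\Windows\\System32\\vssadmin.exe Delete Shadows /Quiet /All",
                "vssadmin list shadows"]:
        print(is_shadow_copy_deletion(cmd), cmd)
    # constructed file names following the layout the page describes
    listing = ["report.docx.id-A1B2C3D4.[dalailama2015@protonmail.ch].wallet",
               "archive.tar.gz.id-A1B2C3D4.{goldman0@india.com}.CrySiS",
               "Files encrypted!!.txt"]
    print(triage_listing(listing))
```

The victim ID recovered from the file names is what the ransom note asks the victim to quote, so it identifies the case when several machines are hit; the contact address and the extension together narrow down the variant before any decryptor is tried.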
These ransom note files may be named Help_Decrypt_FILES.html, Help_Decrypt_FILES.txt, info.hta, or Files encrypted!!.txt. The note itself reads (reproduced as written):

Attention! Your computer was attacked by virus-encoder. All your files are encrypted cryptographically strong, without the original key recover is impossible! To get the decoder and the original key, you need to to write us at the email:dalailama2015@protonmail.ch with subject "encryption" stating your id. Write in the case, do not waste your and our time on empty threats. Responses to letters only appropriate people are not adequate ignore. P.S. only in case you do not receive a response from the first email address within 48 hours please use this alternative email goldman0@india.com.

The two email addresses in this note use a Swiss ProtonMail domain (.ch is Switzerland's top-level domain, not the Czech Republic's) and the india.com webmail service. A version that appeared in late 2017 instructs victims to contact a different address for payment instructions, namely cranbery@colorendgrace.com. Other addresses the malware has used to communicate with victims include Decryptallfiles@india.com, Tree_of_life@india.com, mailrepa.lotos@aol.com, and Guardware@india.com.

CrySiS can also deploy additional trojans and other threats on the infected computer, allowing the attackers, for example, to spy on all user activity in real time. Payloads dropped alongside CrySiS also include cryptocurrency miners, keyloggers, and other malware.

Removal

Free decryption tools have been released for certain versions that appeared before May 2017. Identify the variant from the appended extension and the contact address in the note before trying a decryptor, since the tools only cover the variants whose keys were released.

Category:Ransomware Category:Win32 ransomware Category:Win32 trojan Category:Win32 Category:Microsoft Windows Category:Trojan Category:Virus Category:Win32 virus